Breach with a Twist: Data Encrypted but Still at Risk

Home health and hospice provider Amedisys is notifying more than 6,900 individuals of a breach of protected health information (PHI), even though the PHI is encrypted.

In most cases under the HIPAA privacy and security rules, if protected health information is compromised but the data is encrypted to industry standards, it is as if no breach occurred and affected individuals need not be notified. This incident is an exception: during an inventory of its desktop and laptop computers, Amedisys learned that about 142 devices were missing.

These had been assigned to clinicians and staff who left the company between 2011 and 2014, and Amedisys did not retrieve the computers when they left. So while the PHI was protected with 256-bit disk encryption, the people holding the computers still had the encryption key, even though they no longer had access to the company network. Encryption at rest only protects data from someone who lacks the key; a departed employee who keeps the laptop keeps the key with it.
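The control that failed here is reconciliation between the asset register and HR separations. The following is an added example, not Amedisys' or Booz Allen Hamilton's code, of the check an inventory owner would run: it joins a device list to a roster of departures and flags every device still outstanding for someone who has left. All data is constructed for illustration; the distinction it draws is that a disk-encrypted device is only "mitigated" once it has been returned, because an unreturned device travels with its key holder.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Device:
    asset_tag: str
    assigned_to: str              # user id of the last assignee
    disk_encrypted: bool
    returned_on: Optional[date]   # None if never checked back in


@dataclass(frozen=True)
class Person:
    user_id: str
    separated_on: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Finding:
    asset_tag: str
    user_id: str
    days_outstanding: Optional[int]  # None when the assignee is unknown to HR
    exposure: str


def reconcile_unreturned(devices, people, as_of):
    """Flag devices still held by people who have left (or who are not on the roster).

    Disk encryption is recorded but does not clear a finding: the departed user
    who keeps the laptop also keeps the key that unlocks it.
    """
    separations = {p.user_id: p.separated_on for p in people}
    findings = []
    for d in devices:
        if d.returned_on is not None:
            continue                      # back in custody: nothing to flag
        if d.assigned_to not in separations:
            findings.append(Finding(d.asset_tag, d.assigned_to, None,
                                    "assignee not in HR roster"))
            continue
        left_on = separations[d.assigned_to]
        if left_on is None:
            continue                      # still employed, device in normal use
        exposure = ("encrypted, but key holder retains the device"
                    if d.disk_encrypted else "unencrypted data at rest")
        findings.append(Finding(d.asset_tag, d.assigned_to,
                                (as_of - left_on).days, exposure))
    # Longest-outstanding first; unknown assignees sort last.
    return sorted(findings,
                  key=lambda f: -(f.days_outstanding if f.days_outstanding is not None else -1))


# Constructed sample data (hypothetical names and dates, not from the article).
SAMPLE_PEOPLE = [
    Person("alice", date(2012, 6, 30)),
    Person("bob", date(2014, 2, 1)),
    Person("carol", None),
]
SAMPLE_DEVICES = [
    Device("LT-001", "alice", True, None),              # left in 2012, never returned
    Device("LT-002", "bob", False, None),               # left in 2014, unencrypted
    Device("LT-003", "carol", True, None),              # current employee
    Device("LT-004", "alice", True, date(2012, 7, 2)),  # returned on departure
    Device("LT-005", "dave", True, None),               # assignee unknown to HR
]
AS_OF = date(2015, 3, 1)


if __name__ == "__main__":
    for f in reconcile_unreturned(SAMPLE_DEVICES, SAMPLE_PEOPLE, AS_OF):
        print(f"{f.asset_tag} held by {f.user_id}: "
              f"{f.days_outstanding} days outstanding, {f.exposure}")
```

Run periodically against the real asset register and HR feed, the output is the list of devices whose encryption keys are effectively in the hands of former staff, which is exactly the population that a retrieval or remote-wipe process needs to target before an inventory gap becomes a notifiable breach.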

“Amedisys has no indication of external hacking into its network and no evidence that any patients or former patients have suffered any actual harm,” according to a company statement. Affected individuals are being offered credit monitoring and identity theft protection services. The company has contracted with Booz Allen Hamilton to assess and enhance its security and inventory practices.

Protected health information that may have been on the computers—which account for 0.3 percent of Amedisys’ computing devices—includes patient name, address, Social Security number, birth date, insurance ID number, medical records, and other personally identifiable information. A company spokesperson did not respond to a request for additional information.